Bug Bytes #13 – Shopify RCE, 0xpatrik’s interview & XSS in Google Search

By intigriti_inti

April 9, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

You can sign up for the newsletter here.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 29 of March to 05 of April.

Our favorite 5 hacking items

1. Resource of the week

Introducing the Web Security Academy

The Web Security Acedemy is a new online training on Web security. What’s great about it that it’s free, and it’s from PortSwigger the company behind Burp Suite and The Daily Swig. Also, Dafydd Stuttard who is part of the team that created it, is the author of The Web Application Hacker’s Handbook.
All this to say that it is high quality like everything that the company produces.
There are only 4 modules for now: SQL injection, XSS, OS command injection and Directory traversal. Each one includes theory, resources and practical labs, plus related stories from The Daily Swig at the end of the page.
More vulnerabilities and labs will be added in the next months.

2. Writeup of the week

Handlebars template injection and RCE in a Shopify app & HackerOne report ($10,000)

This is an awesome writeup! What I love about it most us that @Zombiehelp54 initially reported a “possible template injection”. He wasn’t sure it was exploitable or even valid, and just explained the app’s behaviour that led him to think it was vulnerable.
Then he kept trying and ~2 months later, he was able to identify the template used (handlebars) and escalate to a full SSTI/RCE.
So this is an excellent example of perseverence, a well-written report, escalating from an “almost bug” to RCE, and how to exploit an SSTI on an initially unknown template engine.

3. Tool of the week


If you have tried automating your recon, you might have noticed that some interesting platform identification tools like Wappalyzer and BuiltWith have expensive APIs. There are many free alternatives like Webtech or Whatweb, but I like using different tools and combining their results to avoid erroneous results.
So Webanalyze is a good addition to my workflow. It’s a port of Wappalyzer in Go. It doesn’t require any API key because it uses the apps.json from the Wappalyzer project, which contains signatures to identify technologies.
Here are example outputs:
webanalyze -hosts hosts.txt  -output csv
2019/04/07 20:54:37 Scanning with 4 workers.
Host,Category,App,Version,Web Servers,Google Web Server,,”Web Servers,Reverse Proxy”,Nginx,,JavaScript Libraries,jQuery,
webanalyze -host
2019/04/07 20:55:29 Scanning with 4 workers.
2019/04/07 20:55:32 [+] (2.657574548s):
2019/04/07 20:55:32     – Apache Traffic Server,  (Web Servers)
2019/04/07 20:55:32     – YUI,  (JavaScript Libraries)
2019/04/07 20:55:32     – React,  (JavaScript Frameworks)

4. Non technical item of the week

Bringing Cybersecurity into Academia: We Talk with Patrik Hudak

I’m a huge fan of Patrick Hudak’s blog His articles on subdomain takeover, recon and OSINT are so detailed and well-written, they’re like mini e-books!
So it was interesting to learn more about him through this interview. His work on subdomain takeovers and subdomain enumeration was actually part of his master thesis.
I really want to read that now, as not all theses are as practical and financially rewarding!
This might give you ideas if you’re a student.

5. Video of the week

XSS on Google Search – Sanitizing HTML in The Client?

This is a mindblowing video writeup of an XSS on Google Search. The vulnerable parameter (q) and URL ( are used by millions of people. It was vulnerable for almost 5 months until @kinugawamasato found the bug!
This shows that there are always bugs even in the most tested and secure apps.
Also, the video is full of interesting information on:
– Mutation XSS
– Why HTML parser libraries for XSS prevention are placed client-side
– Why the same tag can be interpreted in two different ways by the browser
– The reason is that <template> has JS disabled. And the browser parses <noscript> differently if JS is enabled or disabled.
– How to debug complex DOM XSS: Use `onerror=debugger;`. It triggers a breakpoint in the JS debugger when the XSS is executed.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Anew: A tool for adding new lines to files, skipping duplicates. Useful for recon automation

  • Burp Extension that extracts the parameters from sites in scope or from a selected site so you can use them in Intruder (useful to test for mass assignments)

  • Graphqlschema2payload: Helps recreate GraphQL payloads from a GraphQL Schema

More tools, if you have time

  • Pastebin dump: A website listing daily Pastebin dumps

  • Shodan-Seeker: Command-line tool using Shodan API. Generates and downloads CSV results, diffing of historic scanning results, alerts and monitoring of specific ports/IPs, etc

  • Giggity: Wraps github api for openly available information about an organization, user, or repo

  • Fracker: PHP function tracker

  • Script to decode and decrypt Android Keystores (only software) & Slides (in French)

  • Fireprox: AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation

  • SharpGPOAbuse: A .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO

  • KatzKatz: Python script to parse txt files containing Mimikatz output & generate the valid creds into a CSV file

  • QRLJacker: QRLJacking Exploitation Framework

  • APC-PPID: Adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread and spoof the Parent Process (for red teamers)

Misc. pentest & bug bounty resources




Bug bounty news




Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/22/2019 to 03/29/2019.

Curated by Pentester Land & Sponsored by IntigritiDisclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

You may also like